Windows 10 + FIDO: The End of Passwords?

Since last fall, Microsoft has spoken about its goals to eradicate the password with Windows 10. And this week, we finally got a peek at what they’re planning: The software giant will build support for FIDO authentication into its new OS, transitioning its user base “away from passwords and to a stronger form of identity.”

“Moving beyond passwords is one of the top priorities for us here at Microsoft,” Dustin Ingalls writes in a new post to the Windows For Your Business blog. “Our work in this area is one of the most important priorities for the upcoming Windows 10 release.”

So. What’s FIDO?

Microsoft describe FIDO as a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. Interoperability of FIDO products is a hallmark of FIDO authentication and for this reason Microsoft is confident that it will succeed in transforming the industry. FIDO solves a critical need for both enterprises and consumers alike.

That is of course very high level. So what does this look like in the real world?

Microsoft says that it is implementing FIDO 2.0 technology in the Windows 10 Technical Preview already, so that testers—and the FIDO 2.0 Specification Technical Working Group—can test it immediately. Based on Microsoft’s admittedly vague description, it appears that FIDO support is built into Windows 10’s sign-in process, Azure Active Directory (which can be used in this release as a Microsoft Account-like identity), and its integration with “major SaaS services like Office 365 Exchange Online, Salesforce, Citrix, Box, Concur,” and others.

More to the point, FIDO lets you authenticate yourself using “an enterprise-grade two-factor authentication solution – all without a password.” A second Microsoft blog post, Windows 10: Security and Identity Protection for the Modern World, explains what this might look like: You enroll your smart phone or another device as one factor and then use a “PIN or biometric, such as fingerprint,” as the second factor.

“This means that an attacker would need to have a user’s physical device – in addition to the means to use the user’s credential – which would require access to the users PIN or biometric information,” Microsoft explains. “Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. It will enable them to sign-in into all of their PC’s, networks, and web services as long as their mobile phone is nearby.” In essence, your smart phone would act as a “remote smartcard,” offering two factor authentication for both local sign-in and remote access.

Today, consumers can use two-factor authentication with their Microsoft account, but one of the factors is always their password. But that’s going to change, for both consumers and businesses. “Windows 10 will include Active Directory integration for on-premises scenarios and Microsoft Account integration for our consumer Microsoft services such as Outlook.com, OneDrive, and more.” This tells me that this support is not yet available in the technical preview. So it appears that only enterprises with compatible FIDO authentication solutions can test this right now.

Very interesting. I can’t wait to try this. And to get rid of passwords for good.